Virtual service provider zones

ABSTRACT

A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

CROSS REFERENCE TO RELATED APPLICATIONS

This application incorporates by reference for all purposes the fulldisclosure of U.S. Pat. No. 8,416,709, issued on Apr. 9, 2013, entitled“NETWORK DATA TRANSMISSION ANALYSIS MANAGEMENT,” U.S. patent applicationSer. No. 13/491,403, filed on Jun. 7, 2012, entitled “FLEXIBLYCONFIGURABLE DATA MODIFICATION SERVICES,” U.S. patent application Ser.No. 13/764,963, filed on Feb. 12, 2013, entitled “DATA SECURITYSERVICE,” and U.S. patent application Ser. No. ______, filedconcurrently herewith, entitled “DATA LOSS PREVENTION TECHNIQUES”(Attorney Docket No. 0097749-051US0).

BACKGROUND

The security of computing resources and associated data is of highimportance in many contexts. As an example, organizations often utilizenetworks of computing devices to provide a robust set of services totheir users. Networks often span multiple geographic boundaries andoften connect with other networks. An organization, for example, maysupport its operations using both internal networks of computingresources and computing resources managed by others. Computers of theorganization, for instance, may communicate with computers of otherorganizations to access and/or provide data while using services ofanother organization. Organizations may utilize complex data storagesystems to efficiently and cost effectively store data. In manyinstances, organizations configure and utilize data storage systemshosted and managed by other organizations, thereby reducinginfrastructure costs and achieving other advantages. These data storagesystems and other services may operate under multiple differentjurisdictions, each with their own rules and regulations. With suchcomplex use of computing resources to manage, ensuring that access tothe data is authorized and generally that the data is secure can bechallenging, especially as the size and complexity of suchconfigurations grow.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will bedescribed with reference to the drawings, in which:

FIG. 1 shows an illustrative example of an environment in which variousembodiments may be practiced;

FIG. 2 shows an illustrative example of an environment in which variousembodiments may be practiced;

FIG. 3 shows an illustrative example of an environment in which variousembodiments may be practiced;

FIG. 4 shows an illustrative example of another environment in whichvarious embodiments may be practiced;

FIG. 5 shows an illustrative example of a cryptography service inaccordance with at least one embodiment;

FIG. 6 shows an illustrative example of a process for processing arequest for a data key in accordance with at least one embodiment;

FIG. 7 shows an illustrative example of a process for processing arequest to decrypt a data key in accordance with at least oneembodiment;

FIG. 8 shows an illustrative example of a process for processing arequest to store data in accordance with at least one embodiment;

FIG. 9 shows an illustrative example of a process for processing arequest to retrieve data in accordance with at least one embodiment;

FIG. 10 shows an illustrative example of a database table transformationin accordance with at least one embodiment;

FIG. 11 shows an illustrative example of a process for processing adatabase query in accordance with at least one embodiment;

FIG. 12 shows an illustrative example of an environment in which variousembodiments may be practiced;

FIG. 13 shows an illustrative example of a process for storing customerdata in accordance with at least one embodiment;

FIG. 14 shows an illustrative example of a process for applying one ormore data loss prevention techniques in accordance with at least oneembodiment; and

FIG. 15 illustrates an environment in which various embodiments can beimplemented.

DETAILED DESCRIPTION

In the following description, various embodiments will be described. Forpurposes of explanation, specific configurations and details are setforth in order to provide a thorough understanding of the embodiments.However, it will also be apparent to one skilled in the art that theembodiments may be practiced without the specific details. Furthermore,well-known features may be omitted or simplified in order not to obscurethe embodiment being described.

Techniques described and suggested herein provide the ability to offervarious computing resource services, such as data storage services, invarious zones without the need to build full infrastructures in thosezones. In some examples, the zones correspond to facilities in differentgeopolitical boundaries. Various geographic regions may have their ownrules, laws and/or regulations with respect to the handling of otherpeople's data. For instance, one regulation may require that certaintypes of data remain in country. Similar regulations may be in force inmultiple geographic regions. At the same time, many organizations findit advantageous to utilize various computing resource services. Suchservices may not be available in all jurisdictions or better and/or moreeconomical services may be provided in other regions.

In many instances, compliance with such regulations may be achieved byencrypting data before the data leaves a regulated jurisdiction.Techniques of the present disclosure, accordingly, allow variousdata-related services to be provided to multiple geographic regionswhile maintaining compliance with the differing rules, laws and/orregulations. Generally, the techniques described and suggested hereinallow for the providing of services in multiple zones, where the zonesmay, but do not necessarily, correspond to different sovereign entities.For instance, different zones may be different computer networksgoverned by different entities, whether those entities be governmentalagencies of a sovereign entity, corporations, organizations, divisionswithin an organization, individuals and/or others. Other example zonesare discussed in more detail below.

In various embodiments, a service interface, such as a web serviceinterface, is provided in one zone. In some examples, the serviceoperates in an Internet Point of Presence (PoP). The service interfacemay operate as a virtual application programming interface (API)endpoint for a service whose supporting infrastructure is in anotherzone (e.g., under another political (legal) jurisdiction). Accordingly,the service interface may operate to receive and respond to requestssubmitted to the service interface while fulfillment of some or even allthe requests, may require the use of the infrastructure in the otherzone. In this manner, customers may utilize the service interface toutilize a service as if the customers were utilizing a service withfully supporting infrastructure in the zone. In other words, from theperspective of the customers, a computing resource provides instances ofa service in multiple zones, but behind the scenes, the processing of arequest for a particular zone may occur, at least in part, using theinstance of a service of another zone. For example, a web servicerequest to store data may be fulfilled by the service interface bytransmitting the data for persistent storage to the service in the otherzone. Similarly, a data retrieval request may be fulfilled by retrievingdata persistently stored in the infrastructure of the service in theother zone. In this manner, a full infrastructure does not need to beconstructed and maintained for every zone wherein there may be legalrestrictions on the export of certain types of information.

To comply with various rules, laws, regulations and/or preferences, someor even all data passing through the service interface to a service inanother zone may be encrypted using cryptographic keys that aremaintained within the zone of the service interface and/or generally ina zone that is outside of the zone of the supporting serviceinfrastructure. In this manner, while in the zone of the supportingservice infrastructure, the data is secure and inaccessible withoutaccess to appropriate cryptographic keys in another zone. The data thatis encrypted may be generally or selectively encrypted. The data whichis encrypted may also be configurable by a customer on behalf of whomthe data is stored. In addition, the data that is encrypted and whetherthe data is encrypted may be determined in accordance with one or moredata loss prevention (DLP) policies. In addition, while variousillustrative embodiments of the present disclosure utilize encryptionfor the purpose of illustration, various other techniques may also beused. For example, the various techniques described herein includevarious manipulation (mangling) of data, where the type of mangling tobe applied may be customer configurable.

Returning to the illustrative examples of encryption of data, in someembodiments, the service interface operating as an API proxy utilizes acryptography service within the same zone. The cryptography service maysecurely manage cryptographic keys used for encrypting and decryptingand possibly for performing other cryptographic operations, such asmessage signing. When data is to be encrypted, the service interface mayutilize the cryptography service to encrypt the data before the data istransmitted to the other service in the other zone. Similarly, when datais to be decrypted, the service interface may utilize the cryptographyservice to decrypt the data. Illustrative manners in which thecryptography service may be utilized appear below. An examplecryptography service can be found in U.S. patent application Ser. No.13/764,963, filed on Feb. 12, 2013, entitled “DATA SECURITY SERVICE,”which is incorporated herein by reference.

The instances of a service type of a service provider may be utilized bya customer to restrict access to certain data by certain individuals,such as to comply with one or more regulations. As an example, the setof operators (e.g., individuals with authority to make requests to aservice of the computing resource service provider on behalf of acustomer) may have different vetting properties or qualifications thananother set of operators for another service. For example, as notedabove and discussed in more detail below, a service provider, mayoperate a first service in a first region and a second service in asecond region (e.g., in a different legal jurisdiction than the firstregion) where, for at least some requests to the first service, thefirst service acts as a proxy for the second service. The operators ofthe first service may be required to have certain qualifications whichare different than the qualifications (if any) required for utilizingthe second service. Example qualifications include, but are not limitedto: having passed a background investigation; having a particularnationality or location; being subject to certain nondisclosureobligations; having a certain security clearance level; having a certainjob title (e.g., attorney); and the like. To enable enforcement of suchrestrictions, the service provider can require different authenticationcredentials for one service than for another service. As an example, asigning key used to sign requests to the first service may not be usablefor the second service. In this manner, distribution of signing keys toindividuals with the appropriate qualifications can be used to ensurethat data access is in compliance with various regulations despite thedata passing from one region to another.

FIG. 1 shows an illustrative example of an environment 100 in whichvarious embodiments may be practiced. In the environment illustrated inFIG. 1 a virtual service 102 is provided. The virtual service 102 may beconfigured to provide a service interface, such as a web serviceinterface, usable by customers 104 for the purposes of utilizing variouscomputing resource services. In some embodiments the virtual service 102operates as a proxy for a backing service 106. As discussed in moredetail below, the virtual service 102 and the backing service 106 may beseparate instances of the same overall service type (e.g., a datastorage service with network endpoints in different geographicalregions). For example, the backing service 106 may be a collection ofcomputing resources such as servers, data storage devices, andnetworking equipment configured to enable the operation of the computingresources in a network. The backing service 106 may provide theinfrastructure needed to process requests submitted to the virtual 102.For example, the virtual service 102 may lack sufficient storagecapacity to provide a data storage service. In other words, while thevirtual service 102 may include data storage devices, the amount ofstorage maintained in the virtual service 102 may be insufficient forprocessing the requests it receives without use of the backing service106. Customers 104, nevertheless, can utilize the virtual service 102for the purpose of utilizing data storage services.

As illustrated in FIG. 1, for example, the customer 104 may transmitdata to the virtual service 102, such as through a web service API callto the virtual service 102. The data may be transferred, for instance,in connection with a request to store the data. The virtual service 102may process the request to store data as if the request had beensubmitted to the backing service 106. For example, despite the virtualservice 102 lacking sufficient storage capacity to provide a datastorage service to customers 104, data provided to the virtual service102 may nevertheless be stored utilizing the infrastructure of thebacking service 106. As noted above, various jurisdictionalconsiderations may come into play when utilizing a data storage service.Accordingly, as illustrated in FIG. 1 the virtual service 102 and thebacking service 106 in some embodiments are implemented using physicalinfrastructure such as one or more data center facilities and/orcollections of servers, networking equipment, data storage, and thelike. In the example illustrated in FIG. 1, the virtual service 102 andbacking service 106 are in different countries, although differentjurisdictional entities are also considered as being within the scope ofthe present disclosure.

In order to prevent data that is transmitted to the virtual service 102from being stored in plaintext form in the backing service 106 which mayviolate one or more rules, laws, regulations and/or preferences, datafrom the customer transmitted from the virtual service 102 to thebacking service 106 may be encrypted. In various embodiments, the datais encrypted using a cryptographic key that is never provided (withoutthe consent and/or instruction of the customer 104) to a computingdevice in the jurisdiction in which the backing service 106 is located.For example, in some embodiments, the key used to encrypt the data ismaintained securely within the jurisdiction in which the virtual 102 islocated. As discussed in more detail below, some data may be providedfrom the virtual service 102 to the backing service 106 in plaintext(cleartext) form while other data may be encrypted. Further, some dataprovided to the virtual service 102 may not be transmitted to thebacking service 106, such as when such a transfer of information wouldviolate one or more DLP policies.

It should be noted that while FIG. 1 illustrates data being transmittedto the virtual service 102 by the customer 104 other ways in which thevirtual service 102 may obtain data that is transmitted to the backingservice 106 may be provided. For example, in some embodiments customersof the customer 104 utilize services of the customer 104 that areimplemented using computing resources of a computing resource serviceprovider. Data may be transmitted to the virtual service 102 directlyfrom these customers of the customer 104. As another example, customerdata transmitted to the virtual service 102 may be transmitted from acomputing device that is physically hosted by a computing resourceservice provider that operates the virtual service 102. For instance,the customer 104 may provide the virtual service 102 data from a virtualmachine instance implemented by the computing resource service providerutilizing a virtual computer system service such as described below.

In addition, while FIG. 1 illustrates data from the customer 104traveling to the virtual service 102 from outside the jurisdiction inwhich the virtual service 102 sits, the data may be provided from withinthat jurisdiction or from a different jurisdiction such as thejurisdiction in which the backing service 106 is located. It should befurther be noted that, while the present disclosure discusses variouscommunications and transmissions as coming from a customer 104 or otherentity, unless otherwise clear from context, it should be understoodthat such communications are initiated by one or more computing devicesof the customer 104, which may be operating pursuant to synchronous userinput and/or in accordance with automated processes. In other words,while the customer 104 may refer to an entity such as an organizationwhen data is described as traveling from the customer 104, unlessotherwise clear from context, the data is being provided from acomputing device of the customer 104 or a computing device operating onbehalf of the customer 104. Other variations and additional features arediscussed in more detail below.

FIG. 2 shows an illustrated example of an environment 200 in whichvarious embodiments of the present disclosure may be practiced. In theenvironment 200, a computing resource service provider 202 may provide avariety of services to a customer 204. The customer 204 may be anorganization that may utilize the various services provided by thecomputing resource service provider 202 to maintain and deliverinformation to its employees, which may be located in variousgeographical locations. Additionally, the customer 204 may be anindividual that could utilize the various services to deliver content toa working group located remotely. As illustrated in FIG. 2, the customer204 may communicate with the computing resource service provider 202through one or more communications networks 206, such as the Internet.Some communications from the customer 204 to the computing resourceservice provider 202 may cause the computing resource service provider202 to operate in accordance with various techniques described herein orvariations thereof.

As noted above, a computing resource service provider 202 may providevarious computing resource services to its customers. The servicesprovided by the computing resource service provider, in this example,include a virtual computer system service 208, a block-level datastorage service 210, a cryptography service 212 (also referred to as akey management service), a data storage service 214 and one or moreother services 216, although not all embodiments of the presentdisclosure will include all such services and additional services may beprovided in addition to or as an alternative to services explicitlydescribed herein. Each of the services may include one or more webservice interfaces that enable the customer 204 to submit appropriatelyconfigured API calls to the various services through web servicerequests. In addition, each of the services may include one or moreservice interfaces that enable the services to access each other (e.g.,to enable a virtual computer system of the virtual computer systemservice 208 to store data in or retrieve data from the data storageservice and/or to access one or more block-level data storage devicesprovided by the block data storage service).

The virtual computer system service 208 may be a collection of computingresources configured to instantiate virtual machine instances ontovirtual computing systems on behalf of the customers 204 of thecomputing resource service provider 202. Customers 204 of the computingresource service provider 202 may interact with the virtual computersystems' service (via appropriately configured and authenticated APIcalls) to provision and operate virtual computer systems that areinstantiated on physical computing devices hosted and operated by thecomputing resource service provider 202. The virtual computer systemsmay be used for various purposes, such as to operate as serverssupporting a website, to operate business applications or, generally, toserve as computing power for the customer. Other applications for thevirtual computer systems may be to support database applications,electronic commerce applications, business applications and/or otherapplications.

The block-level data storage service 210 may comprise a collection ofcomputing resources that collectively operate to store data for acustomer 204 using block-level storage devices (and/or virtualizationsthereof). The block-level storage devices of the block-level datastorage service 210 may, for instance, be operationally attached tovirtual computer systems provided by the virtual computer system service208 to serve as logical units (e.g., virtual drives) for the computersystems. A block-level storage device may enable the persistent storageof data used/generated by a corresponding virtual computer system wherethe virtual computer system service 208 may only provide ephemeral datastorage.

As illustrated in FIG. 2, the computing resource service provider 202may operate a cryptography service, which is described in more detailbelow in connection with FIG. 3. Generally, the cryptography service maybe a collection of computing resources collectively configured to manageand use cryptographic keys for customers of the computing resourceservice provider. Keys used by the cryptography service 212 may haveassociated identifiers that the customers can reference when submittingrequests to perform cryptographic operations (such as encryption,decryption and message signing) and/or other operations, such as keyrotation. The cryptography service may securely maintain thecryptographic keys to avoid access by unauthorized parties.

As noted, the computing resource service provider 202 may also includeone or more data storage services 214 which may include an on-demanddata storage service and/or an archival data storage service. Ason-demand data storage service may be a collection of computingresources configured to synchronously process requests to store and/oraccess data. The on-demand data storage service may operate usingcomputing resources (e.g., databases) that enable the on-demand datastorage service 208 to locate and retrieve data quickly, so as to allowdata to be provided in responses to requests for the data. For example,the on-demand data storage service may maintain stored data in a mannersuch that, when a request for a data object is retrieved, the dataobject can be provided (or streaming of the data object can beinitiated) in a response to the request. As noted, data stored in theon-demand data storage service may be organized into data objects. Thedata objects may have arbitrary sizes except, perhaps, for certainconstraints on size. Thus, the on-demand data storage service may storenumerous data objects of varying sizes. The on-demand data storageservice may operate as a key value store that associates data objectswith identifiers of the data objects which may be used by the customer204 to retrieve or perform other operations in connection with the dataobjects stored by the on-demand data storage service 210. The on-demanddata storage service may also be accessible to the cryptography service212. For instance, in some embodiments, the cryptography serviceutilizes the on-demand data storage service to store keys of thecustomers in encrypted form, where keys usable to decrypt the customerkeys are accessible only to particular devices of the cryptographyservice 212. Access to the data storage service by a customer, anotherservice, or other entity may be through appropriately configured APIcalls.

An archival storage system may operate differently than an on-demanddata storage service. For instance, an archival storage system may beconfigured to store data in a manner that reduces the costs of storageat the expense of performance in connection with data access. As oneillustrative example, the archival storage system may be configured toperform data operations (i.e., store and retrieve data) asynchronouslyto take advantage of cost savings afforded by batch processing andparallelism. For instance, a client of the archival storage system mayreceive requests to access data objects stored in the archival storagesystem, aggregate the requests, process the requests in batches and makethe requested data available for retrieval using additional requests.Due to the asynchronous processing, the archival storage system mayrequire another request to retrieve a data object once the data objecthas been made ready for retrieval, such as by reading the data objectfrom one or more archival data storage devices and writing the data toone or more staging data storage devices from which the data object isavailable.

The on-demand storage system, on the other hand, may be configured toprovide better performance with respect to data access. For example, theon-demand storage system may be configured to synchronously processrequests to store and/or access data. To enable better performancerelative to the archival storage system, the on-demand storage systemmay operate using additional computing resources (e.g., databases) thatenable the on-demand storage system to locate and retrieve data quicklyrelative to the archival storage system. The on-demand storage systemmay provide synchronous data access. For example, the on-demand storagesystem may maintain stored data in a manner such that, when a requestfor a data object is retrieved, the data object can be provided (orstreaming of the data object can be initiated) in a response to therequest.

In the environment illustrated in FIG. 2, a notification service 216 isincluded. The notification service 216 may comprise a collection ofcomputing resources collectively configured to provide a web service orother interface and browser-based management console that can be used tocreate topics customers want to notify applications (or people) about,subscribe clients to these topics, publish messages, and have thesemessages delivered over clients' protocol of choice (i.e., HTTP, email,SMS, etc.). The notification service may provide notifications toclients using a “push” mechanism without the need to periodically checkor “poll” for new information and updates. The notification service maybe used for various purposes such as monitoring applications executingin the virtual computer system service, workflow systems, time-sensitiveinformation updates, mobile applications, and many others.

The computing resource service provider 202 may additionally maintainone or more other services 218 based on the needs of its customers 204.For instance, the computing resource service provider 202 may maintain adatabase service for its customers 204. A database service may be acollection of computing resources that collectively operate to run oneor more databases for one or more customers 204. Customers 204 of thecomputing resource service provider 202 may operate and manage adatabase from the database service by utilizing appropriately configuredAPI calls. This, in turn, may allow a customer 204 to maintain andpotentially scale the operations in the database. Other servicesinclude, but are not limited to, object-level archival data storageservices, services that manage and/or monitor other services and/orother services.

As illustrated in FIG. 2, the computing resource service provider 202,in various embodiments, includes an authentication system 220 and apolicy management service 222. The authentication system, in anembodiment, is a computer system (i.e., collection of computingresources) configured to perform operations involved in authenticationof users of the customer. For instance, one of the services may provideinformation from the users to the authentication service to receiveinformation in return that indicates whether or not the user requestsare authentic. Determining whether user requests are authentic may beperformed in any suitable manner and the manner in which authenticationis performed may vary among the various embodiments. For example, insome embodiments, users electronically sign messages (i.e., computersystems operated by the users electronically sign messages) that aretransmitted to a service. Electronic signatures may be generated usingsecret information (e.g., a private key of a key pair associated with auser) that is available to both an authenticating entity (e.g., user)and the authentication system. The request and signatures for therequest may be provided to the authentication system which may, usingthe secret information, compute a reference signature for comparisonwith the received signature to determine whether the request isauthentic.

If the request is authentic, the authentication service may provideinformation to the service that the service can use to determine whetherto fulfill a pending request and/or to perform other actions, such asprove to other services, such as the cryptography service, that therequest is authentic, thereby enabling the other services to operateaccordingly. For example, the authentication service may provide a tokenthat another service can analyze to verify the authenticity of therequest. Electronic signatures and/or tokens may have validity that islimited in various ways. For example, electronic signatures and/ortokens may be valid for certain amounts of time. In one example,electronic signatures and/or tokens are generated based at least in parton a function (e.g., a Hash-based Message Authentication Code) thattakes as input a timestamp, which is included with the electronicsignatures and/or tokens for verification. An entity verifying asubmitted electronic signature and/or token may check that a receivedtimestamp is sufficiently current (e.g., within a predetermined amountof time from a current time) and generate a reference signature/tokenusing for the received timestamp. If the timestamp used to generate thesubmitted electronic signature/token is not sufficiently current and/orthe submitted signature/token and reference signature/token do notmatch, authentication may fail. In this manner, if an electronicsignature is compromised, it would only be valid for a short amount oftime, thereby limiting potential harm caused by the compromise. Itshould be noted that other ways of verifying authenticity are alsoconsidered as being within the scope of the present disclosure.

The policy management service 222, in an embodiment, is a computersystem configured to manage policies on behalf of customers of thecomputing resource service provider. The policy management service 222may include an interface that enables customers to submit requestsrelated to the management of policy. Such requests may, for instance, berequests to add, delete, change or otherwise modify policy for thecustomer or for other administrative actions, such as providing aninventory of existing policies and the like. The policy managementservice 222 may also interface with other services to enable theservices to determine whether the fulfillment of a pending request isallowable according to policy corresponding to the customer for whichthe request was made. For example, when a service receives a request,the service (if it has not locally cached such information) may transmitinformation about the request (and/or the request itself) to the policymanagement system which may analyze policies for the customer todetermine whether existing policy of the customer allows fulfillment ofthe request and provide information to the service according to thedetermination.

FIG. 3 shows an illustrative example of an environment 300 in whichvarious embodiments may be practiced. As illustrated in FIG. 3, theenvironment 300 includes three zones, a customer premise 302, a virtualzone 304, and a backing zone 306. Referring to FIG. 1, the customerpremises 302 may include facilities operated by and/or on behalf of thecustomer 104 described above. Similarly, the virtual zone 304 maycorrespond to facilities operated by a computing resource serviceprovider in a jurisdiction (e.g., political (legal) jurisdiction)different than to which the backing zone 306 corresponds. In otherwords, the customer premises 302 may correspond to the customer 104, thevirtual zone 304 may correspond to the virtual service 102, and thebacking zone 306 may correspond to the backing service 106. As notedabove however, the zones do not necessarily correspond to differinggeopolitical boundaries, but may correspond to other types ofadministrative control. For example, the customer premises 302 maycorrespond to a network of computing resources under administrativecontrol of a customer 308, which may be the customer 104 described abovein connection with FIG. 1. Similarly, the virtual zone 304 maycorrespond to a network of computing resources under the administrativecontrol of a computing resource service provider 304.

The backing zone 306 may correspond to a network of computing resourcesunder the administrative control of the computing resource serviceprovider or another computing resource service provider. The virtualzone 304 may be implemented in a variety of ways and, generally, asdiscussed below, the virtual zone 304 is implemented to operate suchthat, from the perspective of a customer, the virtual zone 304 operatesas if it is a fully facilitated backing zone that is independentlycapable of processing requests without use of the backing zone 306. Inother words, despite use of the backing zone 306, the virtual zone 304is able to receive and cause the processing of requests as if therequests were submitted directly to the backing zone (except for certainmanipulations of data, such as encryption that would not otherwise occurif the request were submitted directly to the backing zone 306). Forexample, as noted above, in some instances the virtual zone 304 may beimplemented as an internet PoP in a particular political jurisdiction.The backing zone 306 may correspond to one or more data centerfacilities having infrastructure capable of providing one or morecomputing resource services such as described above in connection withFIG. 2.

Turning to the virtual zone 304, as noted above, the virtual zone 304may include a storage service proxy 310 and a cryptography service 312.As described in more detail below, the storage service proxy 310 mayprovide a service interface to which the customer 308 can submitrequests. The service interface may be accessible at one or more publicnetwork addresses, such as one or more public IP addresses. The storageservice proxy 310 may utilize the cryptography service 312 to ensuresure that data sent to a storage service 314 of the backing zone 306 isencrypted. The storage service 314 may also provide its own storageinterface which may be directly accessible by the customer 308 and/orother customers. The backing zone 306 may also include an authenticationservice 316. The authentication service 316 may be a collection ofcomputing resources such as described above that serve to enable thestorage service proxy 310, cryptograph service 312, and storage service314 to determine whether to fulfill requests submitted by the customer308 or by another component of the environment 300.

It should be noted that the storage service proxy 310 and the storageservice 314 may correspond to a data storage service of one or morecomputing resource service providers. For example, the storage service314 may be an on-demand storage service, an archival data storageservice, a block level data storage service, a database service such asa relational data base service, a noSQL database storage service, or adata warehouse data storage service. Generally any service that operatesto store data on behalf of one or more customers may be utilized in theenvironment 300. It should also be noted that while storage services areused for the purpose of illustration, the virtual zone 304 and backingzone 306 may include computing resources for other types of servicessuch as virtual computer system services, computing resource managementservice, and/or generally any computing resource service that may beprovided by a computing resource provider and which may involve accessto customer or other sensitive data. Accordingly, the backing zone 306may include facilities to implement such a service and the virtual zone304 may include a corresponding service interface that operates as anAPI proxy for that service. In addition, the virtual zone 304 may alsoinclude multiple different services, each with a corresponding serviceproxy in the virtual zone 304. As noted above, a virtual zone may beprovided in various ways and the ways in which a virtual zone may beprovided are not limited to that which is illustrated in FIG. 1 anddescribed above.

FIG. 4 accordingly shows an illustrative example of an environment 400in which various embodiments may be practiced. For example, asillustrated in FIG. 4, the environment 400 includes customer premises402, a virtual zone 404, and a backing zone 406 such as described abovein connection with the FIG. 3. For example, the customer premises 402may include one or more facilities with computing resources of acustomer 408 or that is utilized on behalf of the customer 408. Asillustrated in FIG. 4, the virtual zone 404 may be a zone located on thecustomer premises 402. For example, a computing device of a network ofthe customer premises 402 may provide a web service interface to whichrequests may be submitted. In some embodiments, the web serviceinterface is accessible at one or more private network addresses, suchas one or more private IP addresses. Customer computing devices or, insome embodiments, any computing devices may submit requests to theinterface for the virtual zone 404 in order to have the requestsprocessed which may include use of facilities of the backing zone 406.

As illustrated in FIG. 4, the virtual zone 404, as described above inconnection with FIG. 3 includes a storage service proxy 410 and acryptography service. As noted above, the storage service proxy 410 mayinclude a storage service interface serving as an API proxy for astorage service 414 located in the backing zone 406. As with the storageservice proxy 410, requests may be submitted by the customer 408 to thestorage service proxy 410 and fulfillment of their requests may utilizethe storage service 414. The cryptography service 412 may be utilized bythe storage service proxy 410 to ensure that data transmitted to thestorage service 414 by the storage service proxy 410 is encrypted whenappropriate in accordance with the various embodiments. Similarly, anauthentication service 416 in the backing zone 406 may be utilized bythe storage service proxy cryptography service 412 and storage service414 to enable determinations of whether requests are authenticallysubmitted and therefore fulfillable, if otherwise fulfillable (e.g.,where fulfillment would be in accordance any applicable policy.

It should be noted that as with all environments described here invariations are considered as being within the scope of the presentdisclosure. For example, FIG. 4 shows a cryptography service 412 insideof the virtual zone 404. The cryptography service may be operated, forexample, as a hardware security module (HSM) or other computing devicethat manages cryptographic keys on behalf of the customer 408. It shouldbe noted, however, the cryptography service may be located in otherzones such as the backing zone 406 or another virtual zone which is notillustrated in the figure. For instance, the cryptography service may bein a virtual zone such as described above in connection with FIG. 3.Generally, the cryptography service may be a service exclusivelydedicated to the customer 408 or may be a multitenant service thatmanages cryptographic keys on behalf of multiple customers of acomputing resource service provider as appropriate. It should be alsonoted that FIG. 4 shows a customer premises having a single virtual zone404, however, a customer premise may include multiple virtual zoneswhich may be utilized for various purposes. For example, the customer408 may be an organization and different virtual zones may be used bydifferent administrative entities within the organization. In thismanner, data mingling and other issues which may be of concern to thecustomer 408 may be managed through the use of multiple virtual zones.Similarly, while a storage service 414 and a storage service proxy 410are utilized for the purpose of illustration, one or more virtual zonesof the customer premises 402 may include multiple service proxies tomultiple corresponding services. Generally, the techniques described andsuggested herein may be used to enable use of multiple services eachwith a corresponding proxy.

Further, as noted above, various service proxies may be accessible viapublic network addresses, such as IP addresses. In some embodiments, aservice proxy has a corresponding uniform resource locator (URL) that isdifferent than a URL used for the corresponding backing service. Forinstance, in the example of a proxy and service being in differentgeographic jurisdictions, a proxy may have a URL in the form ofstorageservice<dot>country1<dot>serviceprovider<dot>com while thebacking service may have a URL of the formstorageservice<dot>country2<dot>serviceprovider<dot>com, where <dot>represents the character in the brackets used for delimiting domains andsub-domains. In other examples, the proxy and the storage service mayhave the same URL but different public IP addresses. Distributed DNSservers may be configured to resolve the URL to an IP address for theproxy or backing service that is geographically closest. As yet anotherexample of a variation considered as being within the scope of thepresent disclosure, a backing service may be configured to rerouterequests through the proxy so that the backing service receives data inencrypted form, where appropriate. Other variations are also consideredas being within the scope of the present disclosure.

FIG. 5 shows an illustrative example of a cryptography service which maybe used to implement various embodiments of the present disclosure. Thecryptography service 500 illustrated in FIG. 5 may be used, for example,as the cryptography service described above in connection with FIGS. 2,3 and 4. In an embodiment the cryptography service 500 includes varioussubsystems which enable the cryptography service 500 to performcryptographic operations using cryptographic keys securely managed bythe cryptography service 500. For example, as illustrated in FIG. 5 thecryptography service 500 includes a request processing subsystem 502.The request processing subsystem 502 may include one or more web serversand one or more application servers that collectively operate to receiveand process requests submitted to the request processing subsystem 502.

In an embodiment the request processing subsystem 502 includes one ormore web servers that provide a web service interface to thecryptography service 500 such that web service calls (from a customer orother service) may be made to the request processing subsystem 502 viathe web service interface in order to cause the performance of variouscryptographic operations. As noted above the cryptography service 500may securely manage cryptographic keys. Accordingly, various componentsof the cryptography service 500 may enable such secure management. In anembodiment the cryptography service 500 includes a plurality ofcryptographic modules 504 and customer key storage 506. Eachcryptographic module 504 may be a subsystem of the cryptography service500 that securely manages cryptographic keys which may be referred to asdomain keys. In an embodiment the cryptographic modules 504 each store aset of one or more domain keys that is common to all of thecryptographic modules 504. In other words each of the cryptographicmodules 504 may store one of more of the same domain keys. Storage ofthe domain keys may be performed so that the domain keys never leave thecryptographic modules 504 and generally are inaccessible to anysubsystems of the cryptography service 500 or other systems.

In an embodiment, for example, the cryptographic modules are securitymodules, which may be hardware security modules (HSMs). The hardwaresecurity modules may be configured with computing resources such asprocessors and memory storing executable instructions that enable thecryptographic modules to perform cryptographic operations. Thecryptographic modules may be configured to be tamper-proof such that ifintrusion into the interior of the cryptographic modules 504 isdetected, domain keys stored within the cryptographic module may beerased, thereby preventing access to the domain keys by way of physicalintrusion into a cryptographic module 504. As noted above, in anembodiment the cryptography service 500 includes a repository forcustomer keys, which is illustrated in FIG. 5 as the customer keystorage 506. In alternate embodiments, however, one or more securitymodules store the customer keys without the use of external customer keystorage 506. In such embodiments, the customer keys may be accessed frommemory and there may not be a need to decrypt using a domain key.

Returning to the embodiment illustrated, each customer key correspondsto a corresponding customer of the cryptography service 500, where onecustomer may have multiple corresponding customer keys but where keysare not shared among customers. As such the cryptography service 500 maystore customer keys in the customer key storage 506 for multiplecustomers. Similarly, the cryptography service 500 may perform variouscryptographic operations through the cryptographic modules 504 formultiple customers. As illustrated in FIG. 5, customer keys stored inthe customer key storage 506 are encrypted under a domain key stored bythe cryptographic modules 504. It should be noted that the bracketsaround the customer key with the domain key annotating the right-handbrackets is provided as notation indicating encryption of the customerkey under the domain key. In this manner customer keys stored in thecustomer key storage 506 are stored in a manner that requires access toa domain key in order to access the customer key. Thus access to data inthe customer key storage 506 does not by itself provide access to dataencrypted under a customer key. Therefore, customer keys for multiplecustomers may be stored external to the cryptographic modules 504,therefore providing scalability without requiring the security modules504 to store all keys which they may use to perform cryptographicoperations.

The cryptographic modules may be configured to, upon a request toperform cryptographic operation, using a specified customer key, accessthe encrypted specified customer key from the customer key store 506,use a domain key to decrypt the customer key and use the decryptedcustomer key to perform the cryptographic operations as discussed inmore detail below. It should be noted that while the customer keystorage 506 is illustrated as being within the cryptography service 500,the customer key storage may be located in another system such as a datastorage service which may be in the same or in a different zone than thecryptography service 500.

FIG. 6 is an illustrated example of a process 600 which may be performedto encrypt a data key used to encrypt data. The process 600 may beperformed by any suitable system such as by the cryptography service 500discussed above in connection with FIG. 5. In an embodiment the process600 includes receiving 602 a request for a data key. The request 602 maybe in the form of an appropriately configured API call such as a webservice call with various parameters that enable the system performingthe process 600 to select a customer key to be used as described in moredetail below to provide a data key. For example, the API call mayinclude a parameter having a value that specifies an identifier for acustomer key. It should be noted that the customer key may be implicitlydetermined. For instance, the request coming from a particular customermay enable the cryptography service to associate the customer key withthe customer and determine which customer key to use. In an embodimentthe process 600 includes determining 604 whether the request isauthentic.

Determination 604 whether the request is authentic may be performed inany suitable manner. For example, in some embodiments the request may beelectronically (digitally) signed in a manner that is verifiable by thesystem performing the process 600 or another system in which the systemperforming the process 600 communicates. Referring to FIG. 3 the requestmay be signed using a secret key shared between the customer 308 and theauthentication service 316. The cryptography service, if performing theprocess 600, may provide the request and the signature for the requestto the authentication service 316 which may generate a referencesignature based on the request and its own copy of the secret key todetermine whether the digital signature that was received with therequest matches. If the signature generated by the authenticationservice matches, the authentication service 316 may provide acommunication to the cryptography service 312 that the request isauthentic, thereby enabling the cryptography service 312 to determinethat the request should be fulfilled. A similar process may be performedin connection with FIG. 4.

It should be noted that while not illustrated in the figure, additionaldeterminations regarding whether the request should be processed may bemade. For example, process 600 may include determining whether policyallows the request to be fulfilled. The request may be a policy on a keyto be used on one of more principals such as a user that submitted therequest or otherwise. Such additional operations may also be performedas part of other processes, including those described below. If it isdetermined 606 that the request is authentic, the process 600 mayinclude generating 606 a data key. A data key may be a cryptographic keyto be used to encrypt data, such as data of a request to store the datain a storage service. The data key may be randomly, pseudo-randomly orotherwise generated. In addition, while the process 600 illustratesgeneration 606 of the data key, a data key may be pre-generated andaccessed from memory.

In an embodiment, the process 600 includes accessing 608 an encryptedcustomer key. Referring to FIG. 5, for example, a cryptographic module504 of the cryptography service 500 may submit a request to the customerkey storage 506 for the encrypted customer key, which may be encryptedunder a domain key. The request to the customer key storage 506 mayinclude an identifier of the customer key to be obtained. Once theencrypted customer key has been accessed 608 the process 600 may includeusing 610 the domain key to decrypt the customer key. The decryptedcustomer key may then be used 612 to encrypt the data key. The data keyand the encrypted data key may then be provided 614 in response to therequest, thereby enabling the requester to utilize the data key for theencrypted of data as discussed in more detail below.

Returning to the determination 604 whether the request is authentic, ifit is determined 604 that the request is not authentic, such as if anauthentication service indicates that the request is not authentic, theprocess 600 may include denying 616 the request. Denying 616 the requestmay be performed in various ways in accordance with various embodiments.Denying the request may be performed, for example, by responding therequest with an indication that the request was denied and/or one ofmore reasons for the denial. Denying the request may also include simplyinaction such as not responding to the request. Generally any suitableway in which a request may be denied may be used. It should be notedthat FIG. 6 and generally all processes described herein show aparticular order or operations, although the scope of the presentdisclosure is not necessarily limited to the order or operationsperformed therein. For example, FIG. 6 shows generating 606 a data keyoccurring before access 608 of an encrypted customer key. Further,operations may be performed in a different order or in parallel.Similarly, using 601 the domain key to decrypt a customer key may beperformed before generation 606 of the data key or otherwise obtainingthe data key. Other variations are also considered as being within thescope of the present disclosure.

FIG. 7 shows an illustrative example of a process 700 which may be usedto decrypt a data key, such as a data key that was used to decrypt dataand persisted in encrypted form for later retrieval of the data. Thedata key may be encrypted in any suitable manner, such as by performanceof the process 600 discussed above in connection with FIG. 6. Further,the process 700 may be performed by any suitable system such as the samesystem that performed the process 600 discussed above in connection withFIG. 6 or another system. In an embodiment the process 700 includesreceiving 702 a request to decrypt a data key. The request may be anappropriately configured API call such as described above. The requestmay originate, for example, from a service proxy such as describedabove. A determination may be made 704 whether the request is authentic,such as by communicating with an authentication service that analyzes anelectronic signature and provides an indication whether the signature isauthentic. Further, as discussed above in connection with FIG. 6, otheroperations may be performed in determining whether to fulfill a request,such as operations in connection with policy enforcement.

Returning to the embodiment illustrated in the figure, if it isdetermined 704 that the request is authentic, the process 700 mayinclude accessing 706 an encrypted customer key such as described above.The access customer key may then be used 710 to decrypt the data key.The data key may then be provided 712 in response to the request. Inthis manner a computer system that submitted the request may use thedecrypted data key to perform one of more cryptographic operations suchas decryption of data that was encrypted under the data key. Returningto the determination 704 whether the request is authentic, the process700 may include denying 714 the request if determined 704 that therequest is not authentic or otherwise upon determining that the requestshould not be fulfilled.

FIG. 8 shows an illustrative example of a process 800 which may be usedto store data in a data storage service. The process 800 may beperformed by any suitable system such as a service proxy describedabove. In an embodiment the process 800 includes receiving 802 a requestto store data. The request may be in the form of an appropriatelyconfigured API call such as a web service call that includes values forparameters that enable the request to be fulfilled and that enabledetermination of whether the request should be fulfilled. The requestmay originate from any suitable computer system such as a customercomputer system such as described above. Upon receipt 802 of therequest, a determination may be made 804 whether the request isauthentic. The determination 804 whether the request is authentic may bemade in any suitable way such as described above in connection with theprocesses 600 and 700 described in connection with FIGS. 6 and 7,respectively. For example, a service proxy may communicate with anauthentication service in order to receive a decision from theauthentication service whether the request is authentic. As with theprocesses described above, additional operations such as checks whetherfulfillment of the request is in compliance with policy may also beperformed.

If it is determined 804 that the request is authentic and/or generallythat the request should be fulfilled, the process 800 may includerequesting 806 a data key from a local cryptography service. The localcryptography service may be a cryptography service such as describedabove that is in the same zone as the system performing the process 800.For instance, referring to FIG. 3, the cryptography service may be thecryptography service 312. Referring to FIG. 4, the cryptography servicemay be the cryptography service 412. It should be noted that, as withall processes described herein, variations are considered as beingwithin the scope of the present disclosure and the cryptography serviceis not necessarily a local cryptography service but it may be acryptography service that is in a zone that is different from a zone inwhich a data storage service in which the data is to be ultimatelystored is located. In this manner the cryptography service is notnecessarily local but in a zone that is different from the zone wherethe data will be stored. Further the keys required for accessing thedata are stored in a different zone than the encrypted data itself.

As illustrated in FIG. 8 a response to the request for the data key fromthe local cryptography service may be provided, and an encrypted datakey may be received 808 from the cryptography service. The data key maybe encrypted by a customer key, which may have been implicitlydetermined by the cryptography service or which may have been specifiedin the request to the local cryptography service. The received data keymay then be used 810 to encrypt the data. Once the data has beenencrypted 810 the process 800 may include generating 812 a data objectthat comprises the encrypted data and the encrypted data key. The dataobject that was generated 812 may be transmitted 814 to a backingstorage service in another zone. Referring to FIG. 3, for example, thestorage service proxy 310 may transmit the data object to the storageservice 314 via an appropriately configured API call such as a webservice call to the storage service 314. Referring to FIG. 4, thestorage service proxy 410 may transmit the data object to the storageservice 414 via an appropriately configured API call.

Once the data key is no longer needed by the system performing theprocess 800, the process 800 may include destroying the unencrypted datakey. Destroying 816 the unencrypted data key may be performed in anysuitable manner and generally in any manner in which access to the datakey is lost by the system performing the process 800. As one example,the data key in unencrypted form may be managed by the system performingthe process 800 such that the data key is only stored in volatile memorysuch as random access memory (RAM) or a central processing unit (CPU)register. In this manner, when power is cut to the volatile memory, theaccess to the stored unencrypted data key is lost, or if power is nevercut the memory locations in which the data key is stored will eventuallybe overwritten as the system performing the process 800 continues tooperate such as by performing the process 800 additional times as futurerequests are received. As another example, the data key may be destroyedby overriding any memory locations in which the data key is stored,whether volatile or non-volatile memory with other data, which may be asequence of 0 bits, a sequence of 1 bits, a sequence of random bits, ora sequence of bits that does not contain sensitive information.Generally, any manner of causing a loss of access to the data key may beused. In addition, as noted above, destruction 818 of the unencrypteddata key may be performed synchronously in performance of the process800 and not necessarily as an operation in the order illustrated in FIG.8, or may be performed asynchronously, such as part of a process thatoperates to eventually destroy data keys or allow data keys to beoverwritten with other data.

Returning to the determination 804 whether the request is authentic, ifit is determined 804 that the request is not authentic or otherwise thatthe request should not be fulfilled, the process 800 may include denying818 the request such as described above. As with all processes discussedherein, variations are considered as being within the scope of thepresent disclosure. For example, as illustrated in FIG. 8, a request fora data key is submitted to a cryptography service that generates orotherwise obtains a data key and provides in response the data key inplaintext and cypher text form. As an alternative a system performingthe process 800 may generate or obtain a data key itself and provide thedata key to the cryptography service for encryption. The cryptographyservice may then provide the encrypted data key back and not necessarilyprovide the data key back since the system performing the process 800may already have access to the data key. Also as noted above, therequest to store data that is received 802 is described as beingreceived from a customer computing system such as described above. Invarious embodiments, the request does not necessarily originate from acustomer computer system but may originate from another computer systemdespite the data ultimately being stored as a service for the customer.

In addition, as another example of a variation, a request to store datamay not be received externally from another system. Performance of theprocess 800 may, for example, include generation of the data, and upongeneration of the data and performing operations that result in the databeing encrypted and transmitted to a data storage service such asdescribed above. Further, the process 800, as illustrated in FIG. 8,includes generation 812 of a data object that comprises and encrypteddata and the encrypted data key. As an example, the encrypted data andencrypted data key may be concatenated together to form the data object.In this manner the encrypted data key and the encrypted data object arepersisted together for later access such as described below. However, invarious embodiments, the encrypted data key and encrypted data are notnecessarily persisted together but may be persisted in different logicaldata containers of a data storage service in different storage servicesor in other ways. For instance, the encrypted data key may be storedlocally while the encrypted data is transmitted to a storage service inaccordance with techniques described above. Metadata maintained maypersist an association between the encrypted data key and the dataencrypted under the key. Other variations are also considered as beingwithin the scope of the present disclosure.

FIG. 9 illustrates an illustrative example of a process 900 which may beperformed to retrieve data from a data storage service where the datamay have been stored by the data storage service in accordance with theprocess 800 described above in connection with FIG. 8. The process 900may be performed by any suitable system such as by the system thatperformed the process 800 discussed above in connection with FIG. 8 orby another system, such as another system in a zone that is differentfrom the zone in which the data storage service is located. Asillustrated in FIG. 9, the process 900 includes receiving 902 a requestto retrieve data, where the request to retrieve data may be in the formof an appropriately configured API call such as described above. Adetermination may be made 904 whether the request is authentic, such asdescribed above, and if determined 904 that the request is authentic,the process 900 may include obtaining 906 encrypted data and anencrypted data key from a backend storage service. For example,referring to FIG. 3, the storage service proxy 310 may submit a requestto the storage service 314 to retrieve a data object that comprises theencrypted data key in the encrypted data. The storage service 314 mayprovide the data object that comprises the encrypted data and theencrypted data key in response. Referring to FIG. 4, for example, thestorage service proxy 410 may submit a request to the storage service414 for a data object that comprises the encrypted data and theencrypted data key, and the storage service 414 may provide, inresponse, the data object that comprises the encrypted data andencrypted data key. As noted above, however, the encrypted data andencrypted data key are not necessarily persisted together andperformance of the process 900 may include obtaining the encrypted andincluding the encrypted data key in various ways and in accordance withvarious embodiments, such as by retrieving the encrypted data from asystem that stores the encrypted data and retrieving the encrypted datakey from another system that stores the encrypted data key.

Once the encrypted data and encrypted data key have been obtained 906,the process 900 may include requesting 908 decryption of the data keyfrom a cryptography service which may be a local cryptography servicesuch as described above or any suitable cryptography service such as acryptography service in a zone that is different from a zone the datastorage service is located. In response to the request 908 fordecryption of the data key from the cryptography service, the decrypteddata key may be received 910 from the cryptography service to which therequest was submitted. The decrypted data key may then be used todecrypt the encrypted data, and the decrypted data may then be provided914 in response to the request to retrieve the data. Returning to thedetermination 904 whether the request is authentic, if it is determined904 that the request is not authentic or otherwise that the requestshould not be fulfilled, the process 900 may include denying 916 therequest. In addition, while not illustrated in the figure, the process900 may include destroying the unencrypted data key such as describedabove. The unencrypted data key may be destroyed, for example, ininstances where the data is to remain stored by a storage service inencrypted form and therefore in a manner such that unauthorized accessto the data key could be problematic.

As noted above, the types of services which may utilize the varioustechniques described herein may vary in accordance with the variousembodiments. In some examples, for instance, a service proxy for adatabase service may be located in one zone where the service proxyservices as an API proxy to a database service in another zone.Referring to FIG. 3, for example, the storage service proxy 310 may be aservice proxy for a database service which may be the storage service314. Similarly referring to FIG. 4, the storage service 414 may be adatabase service to which the storage service proxy 410 acts as an APIproxy. As noted above, some, but not all, data sent from a service proxyto a backing service may be encrypted. FIG. 10 accordingly shows anillustrative example of data which may be stored by a database service.In particular, FIG. 10 shows an illustrative diagram of data organizedinto a relational table 1002 stored by a virtual data base service whichmay be, for instance, a service proxy such as described above. Asillustrated in FIG. 10, the data base table 1002 comprises various datawhich may be, for instance, data about sales transactions, although thescope of the present disclosure is not limited to the specific types ofdata mentioned herein. In this particular example, each column of thetable 1002 corresponds to a different type of information. The firstcolumn shown, for instance, may correspond to first names, the secondcolumn may correspond to last names, the third illustrated column maycorrespond to transaction amounts, and the last column may correspond todates on which the corresponding transaction occurred. A row in thetable 1002 may, for instance, identify the person who made atransaction, the transaction, and the date on which the transactionoccurred. As indicated by the ellipses, other information may beincluded as well, such as an identifier for an item purchased, a paymentmethod (credit card, e.g.) and other types of data. Some of the data inthe table 1002 may be considered sensitive. For instance, the first andlast name which may be names of customers may be considered sensitivedata and may be subject to various privacy laws, rules, regulations, orgeneral preferences. Some of the data may not be considered sensitivesuch as the amounts of the transactions and the dates of which theyoccurred.

Accordingly, performance of the various techniques described above mayinclude encrypting some, but not all, of the data in the table 1002before it is sent to a backing database service. FIG. 10 shows anillustrative example of a table 1004 illustrating how the same data maybe organized at the backing database service. In particular, asindicated by the arrow transitioning between the virtual databaseservice and the backing database service, data in the table 1002transformed, resulting in the table 1004 where the first two columnscorresponding to first and last names respectively, and possibly othercolumns, are encrypted. The values in the tables corresponding to theamounts, however, are left unencrypted. In this manner, as discussed inmore detail below, the backing database service may be able to provideat least some functionality with respect to the unencrypted data, suchas by processing queries using the unencrypted data. While the encryptedcolumns of the relational database table are consecutive, the columnsthat are encrypted are not necessarily consecutive. Further, while FIG.10 shows illustrative examples of a relational database table, the scopeof the present disclosure is not limited to relational databases andrelated organizations of data sets, but also extends to other types ofdatabases and generally any types of data storage services that storedata in a structured manner. Generally, any type of database that isable to process queries may be used in accordance with the variousembodiments.

When a database of a computing resource provider stores some but not alldata that is encrypted, such as in accordance with the techniquesdescribed above, processing of database queries may occur acrossdifferent zones. In other words, some processing may occur in one zoneand other processing may occur in other zones. FIG. 11 accordingly showsan illustrative example of a process 1100 which may be used to process adatabase query. The process 1100 may be performed by any suitable systemsuch as by a service proxy described above. For example, a service proxymay perform the process 1100 in order to process queries that itreceives despite the actual data being stored by a backing service inanother zone. In an embodiment, the process 1100 includes receiving 1102a query for a database. The query may be received encoded in anappropriately configured API call to the system performing the process1100. The query may then be parsed 1104 or otherwise analyzed in orderto generate a sensitive query and a non-sensitive query, where thesensitive query and the non-sensitive query are configured such thatsequential execution of the non-sensitive query then the sensitivequery, with some intermediate data modification on a result of thenon-sensitive query as described in more detail below, provides the sameresult as executing the query.

Parsing the query may be performed in any suitable manner. For example,in some embodiments, columns of a database table are tagged in a mannerindicating whether the columns contain sensitive data. Referring to FIG.10, for example, the first two columns illustrated may be tagged assensitive where as other columns may be tagged as non-sensitive wheretagging as sensitive or non-sensitive may be implicit by the absence ofa tag. The tags may enable a storage proxy to determine which data toencrypt before transmitting data to a backing service. The service proxymay, for instance, be configured to receive data through its APIinterface, identify which columns in a database the data affects,determine which, if any, columns are tagged as sensitive, and encryptthe data for the identified columns before transmitting to the backingservice. Parsing the query may be performed by identifying portions ofthe query that require a search of columns tagged as sensitive, orgenerally a search of data tagged as sensitive. Similarly, parsing thequery may be performed by identifying of the query requiring a search ofdata tagged as non-sensitive. Turning to the illustrative example ofFIG. 10, for instance, a query may be configured to identify data in arelational database that satisfies one or more conditions on a last nameas well as one or more conditions on a transaction amount. As notedabove, a column for last names may be tagged as sensitive whereas acolumn of transactions amounts may be tagged as non-sensitive. In thismanner, parsing such a query may be performed by extracting from thequery a sub-query for identifying data that satisfies the one or moreconditions on the transaction amount. Some of the data identified maynot satisfy the one or more conditions on the last name. In this mannera sub-query configured to identify data that satisfies the one or moreconditions on the last name may be identified as the sensitive query.

Returning to FIG. 11, the non-sensitive query may be forwarded 1106 to abacking database service such as in the form of an appropriatelyconfigured API call to the backing database service. The backingdatabase service may receive the non-sensitive query and process thenon-sensitive query on a database the backing database servicesmaintains on behalf of a customer for which the query was received 1102.The backing database service may then generate a preliminary responseand provide that generated preliminary response which, as noted above,may be over-inclusive as it may include data that does not satisfy thesensitive query that was generated 1104. Accordingly, the process 1100includes receiving 1108 the preliminary response from the backingdatabase service. The preliminary response may be received, for example,as a response to the API call that was made to the backing databaseservice.

Once the preliminary response was received 1108 from the backingdatabase service, the process 1100 may include obtaining 1110 anencrypted data key. Obtaining 1110 the encrypted data key may beperformed in any suitable manner. For example, the encrypted data keymay be included with the preliminary response. And as another example,the encrypted data key may be locally stored in another storage servicewhich may be in the same or in a different zone as the zone in which thesystem performing the process 1100 is located. Once the encrypted datakey has been obtained 1110 the process 1100 may include requesting 1112decryption of the data key from a cryptography service such as describedabove. The decrypted data key may be, therefore, received 1114 from thecryptography service and the data key may be used 1116 to decrypt 1116encrypted portions of the preliminary result that was received from thebacking database service.

It should be noted that encryption, and therefore decryption, may beperformed in various ways in accordance with the various embodiments.For example, each entry in a database table that is encrypted may beencrypted separately. In this manner, the data that is returned in thepreliminary result is decryptable regardless of whether the preliminaryresult includes all the data that was encrypted. Further, as noted, asingle data key may be used to decrypt all the data that is encrypted inthe preliminary result. Accordingly, depending on a cryptographic cypherthat is used, each entry in the database that is encrypted may beencrypted using a different initialization vector (nonce). Numerousvariations are considered as being within the scope of the presentdisclosure, such as encrypting each entry with a different data key,encrypting each column with a different data key, and generallyperforming encryption in various ways.

Returning to FIG. 11, once the data key has been used 1116 to decryptthe encrypted portions of the preliminary result, the process 1100 mayinclude executing 1118 the sensitive query on the decrypted preliminaryresult to obtain a query result. The query result may then be provided1120 in response to the query that was received 1102. In this manner,various technical advantages are achieved. For example, as noted above,a service proxy, which also may be referred to as a virtual databaseservice, may include limited infrastructure. A database service, on theother hand, may include much greater infrastructure in order to handlelarge amounts of data. The virtual database service may, for example,lack the infrastructure that would enable the virtual database serviceto handle the amounts of data that the backing database service handles.In this manner, the vast infrastructure of the backing database servicemay be used to perform the initial processing of the non-sensitive queryin a zone where some of the data is encrypted for various reasonsdiscussed above. The much more limited infrastructure of the virtualdatabase service may be used to finish processing of the query. In thismanner, despite the presence of data considered sensitive, theinfrastructure of the database service is able to be utilized.

In addition, while FIG. 11 shows a process where a query is received toa service proxy and the service proxy generates two queries, one for thebacking service to execute and the other for the service proxy toexecute, the process 1100 may be adapted to operate in different ways.For instance, in some embodiments, the complete query may be forwardedto the backing service which may itself generate two queries and pass atleast one to the service proxy with the preliminary result. As anotherexample, the backing service may process the complete query whileignoring any conditions involving subsets of data tagged as sensitive(or ignoring particular conditions, e.g. conditions required to besatisfied). The proxy may also process the whole query on thepreliminary result. Other variations, including adaptations for othertypes of databases, may be used.

As noted above, various embodiments of the present disclosure mayutilize numerous zones, numerous service proxies, and numerous backingzones. In some instances, a service proxy may selectively provide datato different backing zones. For example, a storage service may havedifferent advantages in different zones. A data storage service in onezone, for example, may be cheaper than the same or a similar datastorage service in another zone. As another example, a data storageservice in one zone may be better for latency reasons than the same orsimilar data storage service in another zone. Despite the advantages ofone zone over another, as noted above, various concerns may result in arequirement or preference that data be stored in one zone or anotherzone. Different jurisdictions may have different regulations regardingvarious types of data, for instance. Thus, in order to achieve someadvantages and/or generally comply with various regulations, some datamay be stored in one zone and other data may be stored in another zonein order to comply with various requirements and/or preferences.

Accordingly, a storage service proxy (or proxy for another service) mayactively make decisions where to store data based at least in part onvarious factors. For example, some customers may request through anaccount configuration or as a parameter in an API call, that their databe stored in a particular zone. As another example, some types of datamay be stored for the same customer in one zone while other types ofdata may be stored in another zone due to varying regulatoryrequirements. As yet another example, a customer may configure computingresources of a computing resource service provider so that the serviceproxy applies one or more DLP policies so that some data is sent to onezone and other data is sent to another zone. FIG. 12 accordingly showsan illustrative example of an environment 1200 in which variousembodiments that utilize selection from multiple zones may be practiced.

As illustrated in FIG. 12, the environment 1200 includes customerpremises 1202, a virtual zone 1204, and one or more backing zones 1206.In this particular example, FIG. 12 illustrates n backing zones where nis a positive integer. It should be noted that while the virtual zone1204 relative to the customer premises 1202 are illustrated as with FIG.3, variations such as those shown in FIG. 4 are considered as beingwithin the scope of the present disclosure. As illustrated in FIG. 12, acustomer 1208 submits requests and receives responses from a storageservice proxy 1210 or other service proxy and a photography service1212. Each of the backing zones 1206 may include a backing service andan authentication service such as described above, although suchservices are not illustrated in FIG. 12 for the purpose ofsimplification. In an embodiment, the customer 1208 submits requests tothe storage service proxy 1210 which then may select and submitcorresponding requests to one of the backing zones 1206 as appropriate.Appropriateness may be determined in accordance with DLP policy,customer preferences, account configuration, API call parameters and thelike.

FIG. 13 shows an illustrative example of a process 1300 which may beused to utilize various backing services, such as illustrated in FIG.12, in accordance with various embodiments. As illustrated in FIG. 13,the process 1300 includes obtaining 1302 customer data. Customer datamay be obtained, for example, from the customer's computer systemsthemselves or from other computer systems on behalf of the customer,such as when the customer utilizes a computer resource service providerto provide a service to various members of the public or generally toother customers of the customer. When the customer data is obtained 1302the process 1300 may include determining 1304 a backing zone for thecustomer data. Determining 1304 the backing zone can be performed invarious ways in accordance with variance embodiments. For example, asnoted above, account configuration for a customer may indicate whichbacking zone is to be used. As another example, the nature of the dataitself may be used to determine which backing zone to use. For instance,if data is organized according to a schema, the data's locationaccording to the schema may be used to determine which backing zone touse. As yet another example, a source (network address, user identity,political jurisdiction, etc.) of the customer data may be used todetermine the backing zone. Generally, any way in which a backing zonemay be determined may be used.

Upon determining 1304, the backing zone for the customer data theprocess 1300 may include requesting 1306 a data key from a localcryptography service such as described above, or generally from anothersuitable cryptography service such as described above. Accordingly, adata key and encrypted data key may be received 1308 from thecryptography service to which the request for the data key wassubmitted. The data key may then be used 1310 to encrypt the customerdata and a data object comprising the encrypted customer data and theencrypted data key may be generated 1312. The data object may then betransmitted 1314 to a backing storage service in the determined backingzone. The unencrypted data key may then be destroyed 1316 such asdescribed above.

It should be noted that variations of the process 1300 are considered asbeing within the scope of the present disclosure including variations ofthe various processes described above for transmitting data to a backingservice. FIG. 14 shows an illustrative example of a process 1400 forselectively encrypting data and providing the data to a backing servicein accordance with an embodiment. In particular, the process 1400utilizes various data loss prevention techniques such as those describedin U.S. Pat. No. 8,416,709 which is incorporated herein by reference.The process 1400 of FIG. 14 may be performed by any suitable system,such as by a service proxy such as described above. The traffic mayinclude, for example, one or more data packets such as IP ortransmission control protocol (TCP) packets, handshake requests, such asa portion of the three part TCP handshake or an SSL handshake, or otherappropriate data packets. The network traffic may be received from acustomer such as described above or another entity associated with thecustomer such as described above. In some embodiments, the traffic isreceived through an application programming interface (e.g., web serviceinterface) of a system performing the process 1400. The network trafficmay be analyzed 1404 with respect to one or more DLP policy criteria.DLP policy criteria may include those discussed in U.S. Pat. No.8,416,709, noted above. For example, data in IP or TCP packets may beinspected for data of certain data types, such as credit card numbers,social security numbers, and/or any other types of data that may beconsidered sensitive or otherwise for which modification is desired.

A determination may be made 1406 whether the DLP's criteria aresatisfied. If it is determined 1406 that the DLP criteria are satisfied,the process 1400 may include encrypting 1408 the network traffic thatwas received, and transmitting 1410 the network to the backing service.If, however, it is determined 1406 that the DLP criteria are notsatisfied, then the network traffic may be transmitted 1410 to thebacking service without being encrypted.

As discussed above, various variations are considered as being withinthe scope of the present disclosure, including decrypting some but notall of the data when DLP criteria are satisfied. In addition, additionalactions may be taken in addition to or as an alternative to encryptionof the data. Sample actions include, but are not limited tosnapshotting, i.e., copying, the network traffic that was received andpersisting the snapshot in a data storage service such as the backingservice or another data storage service performing packet tracing,performing a quarantine of the network traffic that was received,initiating enhanced logging of network traffic, and/or denial of theaction. Generally, any type of action configured to address DLP concernsmay be used. In addition, the actions that are taken when a DLP or otherpolicy criteria are satisfied may be configurable by a customer.Generally, data may be manipulated in accordance with customerspecifications utilizing techniques such as those described in U.S.patent application Ser. No. 13/491,403, filed on Jun. 7, 2012, entitled“FLEXIBLY CONFIGURABLE DATA MODIFICATION SERVICES,” which isincorporated herein by reference.

In particular, a customer may specify certain rules by which varioustypes of data, inbound and/or outbound from customer devices or otherdevices, may be modified, upon which various components of thedistributed computing system are utilized to implement the rules, e.g.,using packet mangling techniques. For example, the customer may specifythat data through a service proxy to specific external device types orlocales must conform to a customer-provided specification (e.g., forregulatory compliance and/or performance optimization), upon which thedistributed computing system determines the necessary alterations anddata patterns (or other markers) to which they apply. Thereafter, in theexample given, the implementation may include redirection of some or allof the network traffic between the customer and the external device inquestion to a component of the distributed computing system, such as abacking service. Upon processing in the determined manner, theredirected data may be relayed to the original destination. As will becontemplated, a similar process may be utilized for inbound networktraffic.

In another example, the data alteration service may be effective tomodify data transiting, through the service proxy, between twovirtualized instances of the distributed computing system, one of whichis controlled by a customer requesting the service, while the other iscontrolled by a different customer. A separate virtualized instance ofthe distributed computing system implemented in the service proxy may beinvoked to implement the customer-requested rules, or in someembodiments, the same instance from whence (or to which) the datadesired to be modified may perform the actual modification, e.g., in aquarantine or “sandbox.” It is contemplated that data transiting to orfrom any device or component controlled by a service-requestingcustomer, whether physical, virtual, aggregated or otherwise, to adevice not under control by the customer (without regard to its nature),may be subject to packet mangling by the service. The service may, insome embodiments, be granularly controllable based on a number ofcriteria, including customer or external device type, geographiclocation, and the like.

An example implementation of such a data alteration service may includethe generation of one or more policies that apply to some or allcomponents involved in a given data transaction type. The policies, insome embodiments, are generated by the distributed computing system uponreceipt of customer-defined rules, and may take into account data type,connected device type, customer characteristics, network topology, orany other characteristics relevant to the generation of an effectivepolicy. Such policies, when broadcasted to the relevant devices, canensure that all controlled devices (or a desired subset thereof) act toimplement the associated customer-defined rules in a unified,predictable fashion. In embodiments where a customer controls asignificant plurality of devices at varying levels of abstraction and/oraccess, such policies may also ensure that, e.g., mission-critical orstrict rules take effect across all affected devices.

Further, additional operations may be performed in connection with theprocess 1400. For example, the analysis 1404 of the network traffic mayinform the performance of one or more other operations. In someembodiments, for instance, a cryptographic key may be determined basedat least in part on the analysis. Some types of data may, for example,may require (e.g., in accordance with one or more regulations and/orpreferences) stronger encryption than other types of data. If theanalysis finds one type of data, the data may be encrypted using a keythat is smaller than another type of data that could be determined bythe analysis. A first type of data, for instance, may require encryptionusing a 128-bit key whereas another type of data may require encryptionusing a 256-bit key. The key, accordingly, may be determined (e.g.,generated or obtained from data storage) based on the analysis.

FIG. 15 illustrates aspects of an example environment 1500 forimplementing aspects in accordance with various embodiments. As will beappreciated, although a web-based environment is used for purposes ofexplanation, different environments may be used, as appropriate, toimplement various embodiments. The environment includes an electronicclient device 1502, which can include any appropriate device operable tosend and receive requests, messages or information over an appropriatenetwork 1504 and convey information back to a user of the device.Examples of such client devices include personal computers, cell phones,handheld messaging devices, laptop computers, tablet computers, set-topboxes, personal data assistants, embedded computer systems, electronicbook readers and the like. The network can include any appropriatenetwork, including an intranet, the Internet, a cellular network, alocal area network or any other such network or combination thereof.Components used for such a system can depend at least in part upon thetype of network and/or environment selected. Protocols and componentsfor communicating via such a network are well known and will not bediscussed herein in detail. Communication over the network can beenabled by wired or wireless connections and combinations thereof. Inthis example, the network includes the Internet, as the environmentincludes a web server 1506 for receiving requests and serving content inresponse thereto, although for other networks an alternative deviceserving a similar purpose could be used as would be apparent to one ofordinary skill in the art.

The illustrative environment includes at least one application server1508 and a data store 1510. It should be understood that there can beseveral application servers, layers or other elements, processes orcomponents, which may be chained or otherwise configured, which caninteract to perform tasks such as obtaining data from an appropriatedata store. Servers, as used herein, may be implemented in various ways,such as hardware devices or virtual computer systems. In some contexts,servers may refer to a programming module being executed on a computersystem. As used herein the term “data store” refers to any device orcombination of devices capable of storing, accessing and retrievingdata, which may include any combination and number of data servers,databases, data storage devices and data storage media, in any standard,distributed or clustered environment. The application server can includeany appropriate hardware and software for integrating with the datastore as needed to execute aspects of one or more applications for theclient device, handling some (even a majority) of the data access andbusiness logic for an application. The application server may provideaccess control services in cooperation with the data store and is ableto generate content such as text, graphics, audio and/or video to betransferred to the user, which may be served to the user by the webserver in the form of HyperText Markup Language (“HTML”), ExtensibleMarkup Language (“XML”) or another appropriate structured language inthis example. The handling of all requests and responses, as well as thedelivery of content between the client device 1502 and the applicationserver 1508, can be handled by the web server. It should be understoodthat the web and application servers are not required and are merelyexample components, as structured code discussed herein can be executedon any appropriate device or host machine as discussed elsewhere herein.Further, operations described herein as being performed by a singledevice may, unless otherwise clear from context, be performedcollectively by multiple devices, which may form a distributed system.

The data store 1510 can include several separate data tables, databasesor other data storage mechanisms and media for storing data relating toa particular aspect of the present disclosure. For example, the datastore illustrated may include mechanisms for storing production data1512 and user information 1516, which can be used to serve content forthe production side. The data store also is shown to include a mechanismfor storing log data 1514, which can be used for reporting, analysis orother such purposes. It should be understood that there can be manyother aspects that may need to be stored in the data store, such as forpage image information and to access right information, which can bestored in any of the above listed mechanisms as appropriate or inadditional mechanisms in the data store 1510. The data store 1510 isoperable, through logic associated therewith, to receive instructionsfrom the application server 1508 and obtain, update or otherwise processdata in response thereto. In one example, a user, through a deviceoperated by the user, might submit a search request for a certain typeof item. In this case, the data store might access the user informationto verify the identity of the user and can access the catalog detailinformation to obtain information about items of that type. Theinformation then can be returned to the user, such as in a resultslisting on a web page that the user is able to view via a browser on theuser device 1502. Information for a particular item of interest can beviewed in a dedicated page or window of the browser. It should be noted,however, that embodiments of the present disclosure are not necessarilylimited to the context of web pages, but may be more generallyapplicable to processing requests in general, where the requests are notnecessarily requests for content.

Each server typically will include an operating system that providesexecutable program instructions for the general administration andoperation of that server and typically will include a computer-readablestorage medium (e.g., a hard disk, random access memory, read onlymemory, etc.) storing instructions that, when executed by a processor ofthe server, allow the server to perform its intended functions. Suitableimplementations for the operating system and general functionality ofthe servers are known or commercially available and are readilyimplemented by persons having ordinary skill in the art, particularly inlight of the disclosure herein.

The environment in one embodiment is a distributed computing environmentutilizing several computer systems and components that areinterconnected via communication links, using one or more computernetworks or direct connections. However, it will be appreciated by thoseof ordinary skill in the art that such a system could operate equallywell in a system having fewer or a greater number of components than areillustrated in FIG. 15. Thus, the depiction of the system 1500 in FIG.15 should be taken as being illustrative in nature and not limiting tothe scope of the disclosure.

The various embodiments further can be implemented in a wide variety ofoperating environments, which in some cases can include one or more usercomputers, computing devices or processing devices which can be used tooperate any of a number of applications. User or client devices caninclude any of a number of general purpose personal computers, such asdesktop, laptop or tablet computers running a standard operating system,as well as cellular, wireless and handheld devices running mobilesoftware and capable of supporting a number of networking and messagingprotocols. Such a system also can include a number of workstationsrunning any of a variety of commercially-available operating systems andother known applications for purposes such as development and databasemanagement. These devices also can include other electronic devices,such as dummy terminals, thin-clients, gaming systems and other devicescapable of communicating via a network.

Various embodiments of the present disclosure utilize at least onenetwork that would be familiar to those skilled in the art forsupporting communications using any of a variety ofcommercially-available protocols, such as Transmission ControlProtocol/Internet Protocol (“TCP/IP”), protocols operating in variouslayers of the Open System Interconnection (“OSI”) model, File TransferProtocol (“FTP”), Universal Plug and Play (“UpnP”), Network File System(“NFS”), Common Internet File System (“CIFS”) and AppleTalk. The networkcan be, for example, a local area network, a wide-area network, avirtual private network, the Internet, an intranet, an extranet, apublic switched telephone network, an infrared network, a wirelessnetwork and any combination thereof.

In embodiments utilizing a web server, the web server can run any of avariety of server or mid-tier applications, including Hypertext TransferProtocol (“HTTP”) servers, FTP servers, Common Gateway Interface (“CGI”)servers, data servers, Java servers and business application servers.The server(s) also may be capable of executing programs or scripts inresponse requests from user devices, such as by executing one or moreweb applications that may be implemented as one or more scripts orprograms written in any programming language, such as Java®, C, C# orC++, or any scripting language, such as Perl, Python or TCL, as well ascombinations thereof. The server(s) may also include database servers,including without limitation those commercially available from Oracle®,Microsoft®, Sybase® and IBM®.

The environment can include a variety of data stores and other memoryand storage media as discussed above. These can reside in a variety oflocations, such as on a storage medium local to (and/or resident in) oneor more of the computers or remote from any or all of the computersacross the network. In a particular set of embodiments, the informationmay reside in a storage-area network (“SAN”) familiar to those skilledin the art. Similarly, any necessary files for performing the functionsattributed to the computers, servers or other network devices may bestored locally and/or remotely, as appropriate. Where a system includescomputerized devices, each such device can include hardware elementsthat may be electrically coupled via a bus, the elements including, forexample, at least one central processing unit (“CPU” or “processor”), atleast one input device (e.g., a mouse, keyboard, controller, touchscreen or keypad) and at least one output device (e.g., a displaydevice, printer or speaker). Such a system may also include one or morestorage devices, such as disk drives, optical storage devices andsolid-state storage devices such as random access memory (“RAM”) orread-only memory (“ROM”), as well as removable media devices, memorycards, flash cards, etc.

Such devices also can include a computer-readable storage media reader,a communications device (e.g., a modem, a network card (wireless orwired), an infrared communication device, etc.) and working memory asdescribed above. The computer-readable storage media reader can beconnected with, or configured to receive, a computer-readable storagemedium, representing remote, local, fixed and/or removable storagedevices as well as storage media for temporarily and/or more permanentlycontaining, storing, transmitting and retrieving computer-readableinformation. The system and various devices also typically will includea number of software applications, modules, services or other elementslocated within at least one working memory device, including anoperating system and application programs, such as a client applicationor web browser. It should be appreciated that alternate embodiments mayhave numerous variations from that described above. For example,customized hardware might also be used and/or particular elements mightbe implemented in hardware, software (including portable software, suchas applets) or both. Further, connection to other computing devices suchas network input/output devices may be employed.

Storage media and computer readable media for containing code, orportions of code, can include any appropriate media known or used in theart, including storage media and communication media, such as, but notlimited to, volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information such as computer readable instructions, data structures,program modules or other data, including RAM, ROM, Electrically ErasableProgrammable Read-Only Memory (“EEPROM”), flash memory or other memorytechnology, Compact Disc Read-Only Memory (“CD-ROM”), digital versatiledisk (DVD) or other optical storage, magnetic cassettes, magnetic tape,magnetic disk storage or other magnetic storage devices or any othermedium which can be used to store the desired information and which canbe accessed by the system device. Based on the disclosure and teachingsprovided herein, a person of ordinary skill in the art will appreciateother ways and/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense. It will, however, beevident that various modifications and changes may be made thereuntowithout departing from the broader spirit and scope of the invention asset forth in the claims.

Other variations are within the spirit of the present disclosure. Thus,while the disclosed techniques are susceptible to various modificationsand alternative constructions, certain illustrated embodiments thereofare shown in the drawings and have been described above in detail. Itshould be understood, however, that there is no intention to limit theinvention to the specific form or forms disclosed, but on the contrary,the intention is to cover all modifications, alternative constructionsand equivalents falling within the spirit and scope of the invention, asdefined in the appended claims.

The use of the terms “a” and “an” and “the” and similar referents in thecontext of describing the disclosed embodiments (especially in thecontext of the following claims) are to be construed to cover both thesingular and the plural, unless otherwise indicated herein or clearlycontradicted by context. The terms “comprising,” “having,” “including”and “containing” are to be construed as open-ended terms (i.e., meaning“including, but not limited to,”) unless otherwise noted. The term“connected,” when unmodified and referring to physical connections, isto be construed as partly or wholly contained within, attached to orjoined together, even if there is something intervening. Recitation ofranges of values herein are merely intended to serve as a shorthandmethod of referring individually to each separate value falling withinthe range, unless otherwise indicated herein and each separate value isincorporated into the specification as if it were individually recitedherein. The use of the term “set” (e.g., “a set of items”) or “subset”unless otherwise noted or contradicted by context, is to be construed asa nonempty collection comprising one or more members. Further, unlessotherwise noted or contradicted by context, the term “subset” of acorresponding set does not necessarily denote a proper subset of thecorresponding set, but the subset and the corresponding set may beequal.

Conjunctive language, such as phrases of the form “at least one of A, B,and C,” or “at least one of A, B and C,” unless specifically statedotherwise or otherwise clearly contradicted by context, is otherwiseunderstood with the context as used in general to present that an item,term, etc., may be either A or B or C, or any nonempty subset of the setof A and B and C. For instance, in the illustrative example of a sethaving three members used in the above conjunctive phrase, “at least oneof A, B, and C” and “at least one of A, B and C” refers to any of thefollowing sets: {A}, {B}, {C}, {A, B}, {A, C}, {B, C}, {A, B, C}. Thus,such conjunctive language is not generally intended to imply thatcertain embodiments require at least one of A, at least one of B and atleast one of C to each be present.

Operations of processes described herein can be performed in anysuitable order unless otherwise indicated herein or otherwise clearlycontradicted by context. Processes described herein (or variationsand/or combinations thereof) may be performed under the control of oneor more computer systems configured with executable instructions and maybe implemented as code (e.g., executable instructions, one or morecomputer programs or one or more applications) executing collectively onone or more processors, by hardware or combinations thereof. The codemay be stored on a computer-readable storage medium, for example, in theform of a computer program comprising a plurality of instructionsexecutable by one or more processors. The computer-readable storagemedium may be non-transitory.

The use of any and all examples, or exemplary language (e.g., “such as”)provided herein, is intended merely to better illuminate embodiments ofthe invention and does not pose a limitation on the scope of theinvention unless otherwise claimed. No language in the specificationshould be construed as indicating any non-claimed element as essentialto the practice of the invention.

Preferred embodiments of this disclosure are described herein, includingthe best mode known to the inventors for carrying out the invention.Variations of those preferred embodiments may become apparent to thoseof ordinary skill in the art upon reading the foregoing description. Theinventors expect skilled artisans to employ such variations asappropriate and the inventors intend for embodiments of the presentdisclosure to be practiced otherwise than as specifically describedherein. Accordingly, the scope of the present disclosure includes allmodifications and equivalents of the subject matter recited in theclaims appended hereto as permitted by applicable law. Moreover, anycombination of the above-described elements in all possible variationsthereof is encompassed by the scope of the present disclosure unlessotherwise indicated herein or otherwise clearly contradicted by context.

All references, including publications, patent applications and patents,cited herein are hereby incorporated by reference to the same extent asif each reference were individually and specifically indicated to beincorporated by reference and were set forth in its entirety herein.

What is claimed is:
 1. A system, comprising: a first data storageservice comprising a plurality of data storage devices and a first webservice interface configured to receive web service requests transmittedto the first web service interface, the first data storage service beingconfigured to process the web service requests transmitted to the firstweb service interface using the plurality of data storage devices; asecond data storage service comprising a second web service interface,the second data storage service configured to operate as a proxy to thefirst data storage service by at least: receiving, to the second webservice interface, a request from a requestor to store data; encryptingthe data using a cryptographic key inaccessible to the first datastorage service; transmitting the encrypted data to the first datastorage service for persistent storage on behalf of the requestor; andmaintain access to the cryptographic key while preventing access to thecryptographic key by the first data storage service.
 2. The system ofclaim 1, wherein: the first data storage service is implemented withcomputing resources in a first set of one or more facilities; and thesecond data storage service is implemented with computing resources in asecond set of one or more facilities that is disjoint from the first setof one or more facilities.
 3. The system of claim 1, wherein both thefirst web service interface and the second web service interface areeach publicly addressable interfaces in a public communications network.4. The system of claim 1, wherein the second data storage service isconfigured to encrypt the data without requiring the requestor tospecify that the data should be encrypted.
 5. The system of claim 1,wherein the second data storage service is further configured to:receive, to the second web service interface, a request to retrieve thedata; obtain the encrypted data from the first data storage service; usethe key to decrypt the encrypted data; and provide the decrypted data.6. The system of claim 1, wherein the first data storage service andsecond data storage service are implemented in different legaljurisdictions.
 7. The system of claim 1, wherein the first data storageservice is configured to operate in accordance with a first set ofregulations and the second data storage service is configured to operatein accordance in accordance with a second set of regulations that isdifferent from the first set of regulations.
 8. A system, comprising:one or more processors; and memory comprising computer executableinstructions that, when executed by the one or more processors, causethe system to: operate an application programming interface to whichrequests are submittable over a network; for each first request of atleast a plurality of requests submitted to the application programminginterface, process the first request by at least: using a key to performone or more cryptographic operations on data involved in processing thefirst request; and transmitting, across a network, a second request to aservice that causes the service to perform one or more operations on thedata in encrypted form, the service lacking access to the key and beingconfigured to be independently capable of processing the first request.9. The system of claim 8, wherein: the system is operated as part of afirst instance of a service type provided by a service provider; and theservice is operated as part of a second instance of the service typeprovided by the service provider.
 10. The system of claim 8, wherein theapplication programming interface is a web service interface.
 11. Thesystem of claim 8, wherein: at least some of the plurality of requestsare transmitted by different entities; and each different entitycorresponds to an account of the service.
 12. The system of claim 8,wherein: the executable instructions further cause the system toselectively determine whether to perform the one or more cryptographicoperations when processing requests; and the plurality of requests are asubset of a set of requests processed by the system, the subsetconsisting of requests for which the system has selectively determinedto perform the one or more cryptographic operations.
 13. The system ofclaim 8, wherein the executable instructions further cause the system toselect the service from a plurality of services capable of being used inprocessing the first request.
 14. The system of claim 8, wherein: thesecond request to the service causes the service to perform one or moreoperations on unencrypted data and provide, to the system, a result ofperformance of the one or more operations and the data in encryptedform; using the key to perform the one or more cryptographic operationsincludes decrypting the data in encrypted form; and the executableinstructions further cause the system to perform one or more operationson a collection of data comprising the unencrypted data and thedecrypted data.
 15. The system of claim 8, wherein the service isoperated by a first organizational entity that is different from asecond organizational entity that operates the system.
 16. Acomputer-implemented method, comprising: under the control of one ormore computer systems configured with executable instructions,receiving, from a requestor at a network address of the one or morecomputer systems, an application programming interface request toperform one or more operations; and processing the applicationprogramming interface request by at least: transmitting, over a network,a request to a service that is configured to be independently capable ofperforming the one or more operations, the request being configured tocauses the service to perform one or more service operations onencrypted data, the encrypted data being encrypted under a key that isinaccessible to the service; and using the key to perform one or morecryptographic operations in connection with the encrypted data.
 17. Thecomputer-implemented method of claim 16, wherein: the one or morecryptographic operations include encryption of data to obtain theencrypted data; and the one or more service operations includepersistent storage of the encrypted data.
 18. The computer-implementedmethod of claim 16, wherein the network address is a public Internetprotocol address.
 19. The computer-implemented method of claim 16,wherein the method further comprises selecting the service from aplurality of services each independently capable of performing the oneor more operations.
 20. The computer-implemented method of claim 16,wherein performing the one or more cryptographic operations includestransmitting, over the network to a cryptography service, a request thatcauses the cryptography service to perform one or more othercryptographic operations using cryptographic information that isinaccessible to both the one or more computer systems and the service.21. The computer-implemented method of claim 16, wherein the networkaddress is associated with a string that is usable for obtaining thenetwork address from a domain name service, the string beingunassociated with a network address for the service by any domain nameservice.
 22. One or more computer-readable storage media havingcollectively stored therein computer executable instructions that, whenexecuted by one or more processors of a computer system, cause thecomputer system to: provide an application programming interfaceaccessible at a network address; receive, at the application programminginterface, an application programming interface request to perform oneor more operations on a set of data; fulfill the received request by, atleast in part: causing at least a subset of the set of data to beencrypted under a key kept inaccessible to a remote service; utilizingthe remote service to perform at least a subset of the one or moreoperations on the set of data such that, for the subset of the set ofdata, the remote service has access to the subset of the set of dataonly in encrypted form.
 23. The one or more computer-readable storagemedia of claim 22, wherein: the network address is a public Internetprotocol address; and utilizing the remote service includes transmittinga request to the remote service addressed to a public Internet protocoladdress of the remote service.
 24. The one or more computer-readablestorage media of claim 22, wherein: the application programminginterface request is a request, from a requestor, to perform a requestedoperation; and the remote service is independently capable of performingthe requested operation for the requestor.
 25. The one or morecomputer-readable storage media of claim 22, wherein: the computerexecutable instructions further cause the computer system to analyze theapplication programming interface request to determine whether torestrict access by the remote service to the subset of the data inencrypted form; and the remote service only having access to the subsetof the data in encrypted form as a result of determining to restrictaccess by the remote service to the subset of the data in encryptedform.
 26. The one or more computer-readable storage media of claim 25,wherein: as a result of determining to restrict access by the remoteservice to the subset, the instructions further cause the computersystem to determine, based at least in part on the analysis, anencryption key; restricting access by the remote service includesencrypting at least a portion of the subset using the determinedencryption key.
 27. The one or more computer-readable storage media ofclaim 22, wherein: the application programming interface request is froma requestor; a plurality of services that include the remote service arecapable of being utilized by the computer system for fulfilling theapplication programming interface request; and the computer executableinstructions further cause the computer system to select, from theplurality of services, the remote service based at least in part on aconfiguration setting specific to the requestor.
 28. The one or morecomputer-readable storage media of claim 22, wherein: the computerexecutable instructions further cause the computer system to encrypt thesubset of the set of data using the key; and utilizing the remoteservice to perform one or more operations includes submitting a storagerequest to the remote service to store the set of data.